The book you are holding is the result of 20 years of experience in the IT world; over 15 years of virtualization experience that started with VMware, Virtual PC, and now HyperV; and many years focusing on public cloud solutions, especially Microsoft Azure. My goal for this book is simple: to make you knowledgeable and effective in architecting and managing an Azurebased public cloud environment. If you were to look at the scope of Azure functionality in a single book, that book would be the size of the Encyclopedia Britannica. My focus for this book is the infrastructurerelated services, including virtual machines in Azure, storage, networking, and some complementary technologies. I will also show you how to automate processes using technologies such as PowerShell, how to integrate Azure with your onpremises infrastructure to create a hybrid solution, and how to use Azure as a disaster recovery solution. Although public cloud infrastructure services are relatively new, Microsoft is one of only two vendors that qualifi es as a leader for a solution in the public cloud Infrastructure as a Service (IaaS) Gartner Magic Quadrant. In addition, Azure is being used by many of the largest companies in the world.
John Savill Acquisitions Editor: Mariann Barsolo Development Editor: Mary Ellen Schutz Production Editor: Dassi Zeidel Copy Editor: Liz Welch Editorial Manager: Pete Gaughan Production Manager: Kathleen Wisor Associate Publisher: Jim Minatel Book Designers: Maureen Forys, Happenstance Type-O-Rama; Judy Fung Proofreader: Kathy Pope, Word One New York Indexer: Ted Laux Project Coordinator, Cover: Brent Savage Cover Designer: Wiley Cover Image: ©Getty Images, Inc./ColorBlind Images Copyright © 2015 by John Wiley & Sons, Inc., Indianapolis, Indiana Published simultaneously in Canada ISBN: 978-1-119-00327-4 ISBN: 978-1-119-00328-1 (ebk.) ISBN: 978-1-119-00329-8 (ebk.) No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600 Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 7486011, fax (201) 748-6008, or online at http://www.wiley.com/go/permissions Limit of Liability/Disclaimer of Warranty: The publisher and the author make no representations or warranties with respect to the accuracy or completeness of the contents of this work and specifically disclaim all warranties, including without limitation warranties of fitness for a particular purpose No warranty may be created or extended by sales or promotional materials The advice and strategies contained herein may not be suitable for every situation This work is sold with the understanding that the publisher is not engaged in rendering legal, accounting, or other professional services If professional assistance is required, the services of a competent professional person should be sought Neither the publisher nor the author shall be liable for damages arising herefrom The fact that an organization or Web site is referred to in this work as a citation and/or a potential source of further information does not mean that the author or the publisher endorses the information the organization or Web site may provide or recommendations it may make Further, readers should be aware that Internet Web sites listed in this work may have changed or disappeared between when this work was written and when it is read For general information on our other products and services or to obtain technical support, please contact our Customer Care Department within the U.S at (877) 762-2974, outside the U.S at (317) 572-3993 or fax (317) 572-4002 Wiley publishes in a variety of print and electronic formats and by print-on-demand Some material included with standard print versions of this book may not be included in e-books or in print-on-demand If this book refers to media such as a CD or DVD that is not included in the version you purchased, you may download this material at http://booksupport.wiley.com For more information about Wiley products, visit www.wiley.com Library of Congress Control Number: 2015935401 TRADEMARKS: Wiley, the Wiley logo, and the Sybex logo are trademarks or registered trademarks of John Wiley & Sons, Inc and/or its affiliates, in the United States and other countries, and may not be used without written permission Microsoft and Azure are trademarks or registered trademarks of Microsoft Corporation All other trademarks are the property of their respective owners John Wiley & Sons, Inc is not associated with any product or vendor mentioned in this book 10 For my wife Julie and my children Abby, Ben, and Kevin Acknowledgments I could not have written this book without the help and support of many people First, I need to thank my wife Julie for putting up with me being busier than usual for the last months and for picking up the slack as always, and for always supporting the crazy things I want to do! My children, Abby, Ben, and Kevin, make all the work worthwhile and can always make me see what is truly important with a smile Thanks to my parents for raising me to have the mind-set and work ethic that enables me to accomplish the many things I while maintaining some sense of humor Of course, the book wouldn’t be possible at all without the Wiley team: acquisitions editor Mariann Barsolo, developmental editor Mary Ellen Schutz, production editor Dassi Zeidel, copy editor Liz Welch, proofreader Kathy Pope, and indexer Ted Laux Many people have helped me over the years with encouragement and technical knowledge, and this book is the sum The following people helped with specific aspects of this book, and I wanted to mention them for helping make this book as good as possible—if I’ve missed anyone, I’m truly sorry: Scott Guthrie, Mark Russinovich, Corey Sanders, Kenaz Kwa, Mahesh Thiagarajan, Michael Leworthy, David Powell, Paul Kimbel, Aashish Ramdas, Manoj K Jain, Praveen Vijayaraghavan, Andrew Zeller, Girija Sathyamurthy, Steve Cole, Eric Orman, Sirius Kuttiyan, Gautam Thapar, Karandeep Anand, Yochay Kiriaty, Justin Hall, Nasos Kladakis, Shreesh Dubey, Ganesh Srinivasan, Narayan Annamalai, Dean Wells, Leonidas Rigas, Ziv Rafalovich, Yousef Khalidi, Eamon O’Reilly, Beth Cooper, Rob Davidson, Brannan Matherson, Chris Van Wesep, Mark Sorenson, David Browne, Drew McDaniel, Pat Filoteo, Yu-Shun Wang, and Marie Honoré-Grant at Gartner About the Author John Savill is a technical specialist who focuses on Microsoft core infrastructure technologies, including Microsoft Azure, Windows, Hyper-V, System Center, and anything that does something cool He has been working with Microsoft technologies for 20 years and is the creator of the highly popular NTFAQ.com website and a senior contributing editor for Windows IT Pro magazine He has written six previous books covering Hyper-V, Windows, and advanced Active Directory architecture When he is not writing books, he regularly writes magazine articles and white papers He also creates a large number of technology videos, which are available on his YouTube channel, www.youtube.com/ ntfaqguy, and regularly presents online and at industry-leading events, including TechEd and Windows Connections As of this writing, he had just completed running his annual online John Savill Master Class—it was even bigger than last year He also hosts annual Hyper-V, Azure, and PowerShell Master Classes that provide technical goodness Outside of technology, John enjoys teaching and training in martial arts including Krav Maga and Jiu-Jitsu; spending time with his family; and participating in any kind of event that involves running in mud, crawling under electrified barbed wire, running from zombies, and generally pushing limits While writing this book, John was training for his first (and only) IRONMAN Triathlon John updates his blog at www.savilltech.com/blog with the latest news of what he is working on BACKUP DOMAIN CONTROLLERS • CLOUDXPLORER TOOL B Backup Domain Controllers (BDCs), 174 backups IaaS, 33–34 importance, 322 overview, 223–225, 224–225 virtual machines, 248–249 bandwidth CDN, 15 costs, 38–39 ExpressRoute, 165–168 high-performance gateways, 155 on-premises gateways, 158 virtual machines, 39 virtual network-to-virtual network connectivity, 160 barriers to Azure overview, 315–316 risks See risks trust building, 316 Basic tier for Websites, 295 BDCs (Backup Domain Controllers), 174 best-effort IaaS, 16–17, 17 BGP (Border Gateway Protocol), 144–145 Binary Large Objects (BLOBs) Azure Backup, 224–225 Azure BLOB Cache, 79 CDN, 15 copying, 88–89 deleting, 73–74 description, 14 snapshots, 248–249 for VHD storage, 68 ZDR, 78 BitCoin, 319 BitLocker encryption, 91, 324–326 blades racks for, 63 virtual machines, 48–53, 48–49 BLOBs See Binary Large Objects (BLOBs) Border Gateway Protocol (BGP), 144–145 Bring Your Own Device (BYOD) environments, 309 Bring Your Own IT (BYoIT), 318–319 broadcast traffic, 107 brownouts, 320 bulk import/export, 91 bursting, 7–8, Business Edition for databases, 15 | BYOD (Bring Your Own Device) environments, 309 BYoIT (Bring Your Own IT), 318–319 C caching, 79–80, 80 capacity planning in Azure Operational Insights, 312 CDN (Content Delivery Network), 15 certificates, management, 240–242 change tracking in Azure Operational Insights, 312 Channel site, 331 checkpoints domain controllers, 179 PowerShell, 301 Choose A Load Balanced Set blade, 118 CIDR (Classless Inter-Domain Routing) notation, 125–126 subnet format, 115 Cisco ASA devices, 160 Citrix NetScaler, 137 Classless Inter-Domain Routing (CIDR) notation, 125–126 subnet format, 115 client images in MSDN Azure subscriptions, 40, 40 Cloud App Discovery tool, 188 Cloud Critical bugs, 318 cloud overview introduction, 2–3, private, 3–5, public, 5–9, service types, 9–11, 9–10 Titanfall game, 1, Cloud Platform System (CPS), 289–290 cloud services, 95 basics, 95–101, 97, 99–100 protecting, 206–210, 208 types, 9–11, 9–10 VIPs, 102–105, 102, 104, 106 virtual machines, 45 Cloud Services setting, 25 cloudapp.net namespace cloud services, 95–96, 101 virtual machines, 45 CloudLink, 326 CloudXplorer tool, 90, 90 347 348 | CLUSTERS • DIRECT SERVER RETURN clusters Azure architecture, 63–64, 63 disaster recovery, 202–203 overview, 203–204 CMDB (Configuration Management Database), 274 CNAME records creating, 101 Traffic Manager, 297–298 command bars for Azure portals, 42, 42 Common Tasks For Managing Images settings, 258 compute capacity in cloud, Configuration Management Database (CMDB), 274 Configure Point-To-Site Connectivity option, 162 Connect-Azure.ps1 script, 304–305 Connect-VpnS2SInterface cmdlet, 150 connections Azure AD, 191–194, 192–193 Azure Automation, 304–305, 305 virtual machines, 65 connectivity See external connectivity; onpremises connectivity Content Delivery Network (CDN), 15 Contributor role in RBAC, 54 cores cloud services support, 99 limits, 25 costs IaaS See Infrastructure as a Service (IaaS) site-to-site VPNs, 164 virtual machines, CPS (Cloud Platform System), 289–290 CPU percentage chart, 50, 50 CPU utilization charts, 99 Create a host record option, 101 Create A Load Balanced Set option, 118 Create A Virtual Machine wizard, 43–47, 44–47 Create A Volume Wizard, 82 Create an alias record option, 101 Create An Availability Set option, 233 Create Gateway button, 149 Create VM blade, 52, 52, 233 critical applications, 202 Cutler, Dave, 62 D dashboard Azure AD, 188, 194 cloud services, 96, 99, 99 Fabric Health Dashboard, 272 Operational Insights, 312 runbook execution, 305 virtual machines, 47, 50–51, 51 virtual networks, 149–151 data breaches, 322–323 data disks for virtual machines, 68 data loss, 322 Data Management tab for virtual machines, 39 Data Protection Manager (DPM), 222–224, 224–225, 272 data security in site-to-site VPNs, 164 Database as a Service (DBaaS), 284–285 databases for Microsoft Azure Data Services, 14–15 Datacenter Edition for System Center, 266–267, 267 datacenter infrastructure in cloud, David Chappell and Associates, 316 DBaaS (Database as a Service), 284–285 DC Locator DNS Records Not Registered By The DCs option, 181 DCs See domain controllers (DCs) Deallocated state in virtual machines, 102–103 Dear Azure site, 331 default routes in forced tunneling, 156 deleting BLOBs, 73–74 cloud services, 96 endpoints, 114–115 virtual machines, 73–74, 133 Denial of Service (DoS) attacks, 320 dependencies in Websites, 292 deployment slots in Websites, 292–293 deprovisioning App Controller for, 271 Azure AD, 185 Azure Automation for, 236 Orchestrator for, 274 reserved resources, 103–104 services, 55 virtual machines, Desired State Configuration (DSC), 252–253, 269 destination IP in network security groups, 139 destination ports in network security groups, 139 Dev slots in Websites, 292–293 DHCP (Dynamic Host Configuration Protocol) VIPs, 106, 109 for virtual machines, 136, 179 106, 109 DIP (dynamic IP), 106–109, Direct Server Return (DSR), 113 DIRECTORY INTEGRATION TAB • FABRIC ELEMENTS Directory Integration tab, 194 disaster recovery (DR), 201 ASR See Azure Site Recovery (ASR) backups, 223–225, 224–225 cloud for, ExpressRoute, 167 IaaS, 35 planning, 201–205 replication, 205–210, 208 disk images, 84 Disk Manager, 72 DNS See Domain Name System (DNS) settings, 130 domain controllers (DCs), 330 considerations, 179–180 creating, 180–182, 182 placing, 178 read-only, 182–183 Domain Name System (DNS) Active Directory, 173–174, 173–174 AD sites, 175, 181 cloud services, 95, 98–99, 101 limits, 25 VIPs, 109 virtual machines, 136 virtual networks, 127 DoS (Denial of Service) attacks, 320 Download VPN Device Script link, 150 DPM (Data Protection Manager), 222–224, 224–225, 272 DR See disaster recovery (DR) DSC (Desired State Configuration), 252–253, 269 DSR (Direct Server Return), 113 dual use in ExpressRoute, 168 due diligence, 318–319 Dynamic Host Configuration Protocol (DHCP) VIPs, 106, 109 for virtual machines, 136, 179 106, 109 dynamic IP (DIP), 106–109, dynamic routing gateways, 144–145 E Edit Chart menu, 50, 50 EFS (Encrypted File System), 324 egress charges in virtual network-to-virtual network connectivity, 160 elasticity in private clouds, 5, 276–277 Enable Application Proxy Services option, 310 Enable-PSRemoting cmdlet, 253 -EnableWriteOrderPreservationAcrossDisks parameter, 207 Encrypted File System (EFS), 324 encryption BitLocker, 325–326 data breaches, 323 Import/Export service, 91 overview, 324–325 PowerShell passwords, 241–242 site-to-site VPNs, 144–145 static routing gateways, 145 endpoints, 109 ACLs, 115–116 basics, 110–112, 110–111 cloud services, 45–46, 46 creating, 112–114, 113 deleting, 114–115 instance-level IP addresses, 116–117, 117 virtual machines, 45–46, 45–46 Enhanced Security Configuration (ESC), 285 enterprise enrollments, 21–25, 22–23 Enterprise Mobility Suite, 190 ESC (Enhanced Security Configuration), 285 ESX hypervisor, 281 Ethernet Exchange Point (EXP), 164–166, 165 Existing Single Sign-On feature, 195 expanded services in ExpressRoute, 167 export, bulk, 91 Export-CliXml cmdlet, 242 exposed software, 317 ExpressRoute, 164 BGP peering sessions, 156 Ethernet Exchange Point, 164–166, 165 fundamentals, 164 key points, 167–168 Network Service Provider, 166–167, 166 external connectivity, 95 cloud services, 95 basics, 95–101, 97, 99–100 VIPs, 102–105, 102, 104, 106 virtual machines, 45 endpoints See endpoints load-balanced sets, 117–122, 117, 119, 121 external replication, 208–209 F fabric elements, controllers in Microsoft Azure Compute, 13 IaaS costs, 31–33 | 349 350 | FABRIC HEALTH DASHBOARD • GETAZUREVNETGATEWAYDIAGNOSTICS CMDLET Fabric Health Dashboard, 272 fail fast strategy, Failover Cluster Manager, 204 Failover Clustering, 203–204 Failover option in load balancing, 298 Fast Format option, 70 fault domains in availability sets, 228–231, 228, 230–231 Featured Applications list, 195 Federal Information Processing Standard (FIPS), 323 federation in Azure AD, 185–188, 185, 188 files in Microsoft Azure Data Services, 14 filtered attributes in RODCs, 182 FIPS (Federal Information Processing Standard), 323 firewalls network security groups, 172 networks, 138 virtual machines, 116, 250 WAP, 286–287 Flexible Single Master Operation (FSMO) roles, 181 floor space for datacenters, 2–3, forced tunneling, 156–157, 157 Forced Unit Access (FUA), 179 FQDNs (fully qualified domain names), 136 Free tier for Websites, 294–295 free trials, 18 FSMO (Flexible Single Master Operation) roles, 181 FTP servers, 296, 296 FUA (Forced Unit Access), 179 full-volume encryption key (FVEK), 324–325 fully qualified domain names (FQDNs), 136 G Gartner quadrants, 327–328, 327–328 gateways for site-to-site VPNs creating, 146–151, 147–150 dynamic routing gateways, 144–145 high-performance, 155 internals and maximum speed, 152–155, 153–154 multiple on-premises gateway connections, 158–159, 158 subnets, 153–154 troubleshooting, 151–152 GC (Global Catalog) servers, 181 Generic Routing Encapsulation (GRE) packets, 127 Geo-redundant Storage (GRS) ASR, 214 for data loss, 322 replication, 209–210 storage accounts, 78 Get-AzureDeployment cmdlet, 98 Get-AzureDisk cmdlet, 76, 133, 244 Get-AzureEndpoint cmdlet, 111–112, 120 Get-AzureLocation cmdlet, 244 Get-AzureNetworkSecurityGroup cmdlet, 140–142 Get-AzurePublishSettingsFile cmdlet, 240 Get-AzureRemoteDesktopFile cmdlet, 246 Get-AzureReservedIP cmdlet, 104 Get-AzureResourceGroupGalleryTemplate cmdlet, 261–262 Get-AzureRole cmdlet, 98, 117 Get-AzureRouteTable cmdlet, 157 Get-AzureService cmdlet, 243–244 availability sets, 228 cloud services, 98 load-balanced sets, 122 Get-AzureStaticVNetIP cmdlet, 136 Get-AzureStorageAccount cmdlet, 89, 243 Get-AzureStorageBlobCopyState cmdlet, 88–89 Get-AzureStorageFile cmdlet, 86 Get-AzureStorageFileContent cmdlet, 86 Get-AzureSubscription cmdlet, 242 Get-AzureTrafficManagerProfile cmdlet, 300 Get-AzureVM cmdlet ACLs, 116 Azure VM Agent, 251 data disks, 246 endpoints, 111, 114 IP addresses, 116–117 load-balanced sets, 119–122 management certificates, 242 network security groups, 141 VIPs, 107 virtual machines adding, 133 services, 244 VHDs, 69, 69 Get-AzureVMImage cmdlet, 84, 244, 259 Get-AzureVNetConfig cmdlet, 129–130 Get-AzureVNetGateway cmdlet, 150 Get-AzureVNetGatewayDiagnostics cmdlet, 151–152 GETCLUSTERRESOURCE CMDLET • INSTANTON CLOUD SECURITY FOR MICROSOFT AZURE Get-ClusterResource cmdlet, 204 Get-Command cmdlet, 247 Get-VpnS2sInterface cmdlet, 151 Global Catalog (GC) servers, 181 GRE (Generic Routing Encapsulation) packets, 127 grid view for locations, 244, 245 GridPro connectors, 288 Group Policy, 325 GRS (Geo-redundant Storage) ASR, 214 for data loss, 322 replication, 209–210 storage accounts, 78 H hardware for virtualization, HDD tier in StorSimple, 92 HDInsight service, 15 heat dissipation in datacenters, 2–3, high availability ExpressRoute, 167 IaaS, 35 virtualization for, high-performance S2S gateways, 155 high-performance volumes, 80–83, 82 hijacking accounts, 321–322 home realm discovery, 185 host records, creating, 101 host security modules (HSMs), 326 hostnames for Websites, 296 Hotmail service, 10 HRL (Hyper-V Replica Log) files, 213–214 HRM (Hyper-V Recovery Manager), 211–212, 211–212 HSMs (host security modules), 326 hybrid environments, System Center for See System Center Hype Cycle tool, 328, 328 Hyper-V capabilities, 281 with GRE, 127 virtual environment costs, 31 VM protection with ASR, 218–221, 219–220 Hyper-V Recovery Manager (HRM), 211–212, 211–212 Hyper-V Replica, 207, 211–212, 211–212 Hyper-V Replica Log (HRL) files, 213–214 hypervisors | Hyper-V, 31, 281 replication, 208, 208 in virtualization, 3–4 I IaaS See Infrastructure as a Service (IaaS) IaaS Azure blog, 331 IaaS (Microsoft Azure) Cost Estimator Tool, 41 ICMP for Traffic Manager, 298 -IdleTimeoutInMinutes parameter, 120 IFM (Install From Media) capability, 180 IIS (Internet Information Services), 291 images OS, 84 versions, 44 virtual machines, 258–259, 260 Import-AzurePublishSettingsFile cmdlet, 241 Import/Export service, 91 Import-Module command, 239 Infrastructure as a Service (IaaS), 9–10, Autoscale, 235–237, 237 Azure architecture, 61–64, 62–63 Azure interaction, 54–57, 56 benefits, 29–30, 30 costs Azure, 32–33 comparing, 33–35 on-premises, 30–32 options and licensing, 35–41, 36–37 first steps with, 329–330 Magic Quadrant, 328 16–17 reliable vs best-effort, 16–17, solutions, 33–35 supported configurations, 57–60, 58–59 virtual machine creation, 41 legacy Azure portals, 41–47, 42–47 Preview Azure portals, 47–53, 48–52 WAP, 284–285, 287 InMage Scout Microsoft Migration Accelerator, 223 OS-level replication, 215–216, 216 insecure interfaces, 321 Install From Media (IFM) capability, 180 Install-WindowsFeature cmdlet, 325 117 instance-level IP addresses, 116–117, instances Azure AD, 188, 188 selecting number of, 38 Instant-On Cloud Security for Microsoft Azure, 326 351 352 | INTEGRATED SCRIPTING ENVIRONMENT • LINUX DISTRIBUTIONS Integrated Scripting Environment (ISE), 239, 240, 301 integration packs, 273–275 Intelligence Packs Gallery, 312, 312 IntelliSense, 239, 260 inter-stamp replication, 88 interfaces, insecure, 321 internal load-balanced sets, 120–122, 121 internals for S2S gateways, 152–155, 153–154 international DMZs, cloud for, INTERNET identifier, 140 Internet Information Services (IIS), 291 Internet Key Exchange, 144–145 Internet Protocol Security (IPsec), 144–145, 160, 323 Internet traffic in ExpressRoute, 168 Intersite Topology Generator (ISTG), 174–176 intra-stamp replication, 88 intra-vnet (virtual network) routes in forced tunneling, 156 investment in IaaS, 35 IOPS Azure Storage, 80 standard-tier VMs, 68, 79 storage accounts, 74, 78, 330 throttling, 76 IP addresses Active Directory, 172 ASR, 221–222 clusters, 203–204 instance-level, 116–117, 117 NAT, 172 network security groups, 139 point-to-site VPNs, 162 S2S gateways, 146–148, 148–149, 153, 153 VIPs, 102, 102, 104, 106 virtual machines, 46, 134–136, 134–135 virtual networks, 125–129, 126, 161, 162 IPCONFIG command, 106–107, 109, 174 IPsec (Internet Protocol Security), 144–145, 160, 323 Irregular Sign In Activity report, 198 ISE (Integrated Scripting Environment), 239, 240, 301 ISTG (Intersite Topology Generator), 174–176 J JavaScript Object Notation (JSON), 260–261, 270, 306 JIT (just-in-time) administration, 320 Join A Load Balanced Set blade, 118 joining Active Directories, 183 Journey hub menu, 51, 51 JSON (JavaScript Object Notation), 260–261, 270, 306 just-in-time (JIT) administration, 320 K Keep The Attached Disks option, 74 Kerberos authentication, 184 Key Management Service (KMS), 257 keys in storage accounts, 76 Konube Integrator, 287 L large performance volumes, 80–83, 82 latency affinity groups, 124 Azure regions, 61 disaster recovery, 202–203 ExpressRoute, 164 ICMP, 298 S2S gateways, 154–155 site-to-site VPNs, 164 synchronous replication, 206 virtual machines, 45 virtual network-to-virtual network connectivity, 160 LDNSs (local DNS servers), 297–298, 297 leasing application licenses, 39 legacy Azure portals, 41–47, 42–47 lenses in blades, 48–49, 48 licensing ASR, 222 Azure Open Licensing, 21 IaaS, 35–41, 36–37 replication, 208 System Center, 31, 266–267, 267 virtualization, linked resources for cloud services, 99–100 links for AD sites, 175–176, 177 Linux distributions BitLocker with, 326 endpoints, 110, 114 Hyper-V support, 281 IaaS support, 59 images, 258 InMage Scout support, 216 licensing, 32–33, 38, 45, 45 multiple disks, 83 LOADBALANCED SETS • NETWORK ADDRESS TRANSLATION load-balanced sets internal, 120–122, 121 overview, 117–120, 117, 119 Load Balanced Sets blade, 118 load balancing, 297–298 -LoadBalancerDistribution parameter, 120 local DNS servers (LDNSs), 297–298, 297 Locally Redundant Storage (LRS), 77 settings, 130 locations, returning, 244 logs Azure Operational Insights, 312 firewall installation, 287 HRL, 213–214 loss, data, 322 LRS (Locally Redundant Storage), 77 M Magic Quadrant, 327–328, 327 maintenance, VM availability during, 229–230 malicious insiders, 320 malware protection, 250 man-in-the-middle attacks, 323 manage-bde cmdlet, 325–326 Manage Key icon for S2S gateways, 150 management certificates, 240–242 MAP (Microsoft Assessment and Planning Toolkit), 40 market position, 327–329, 327–328 Master Azure Infrastructure application, 331 Master Target in InMage Scout, 215–216 MAT (Migration Automation Toolkit), 223 maximum speed in S2S gateways, 152–155, 153–154 measured service in clouds, media services, 15 MFA (multifactor authentication), 189, 321 Microsoft Assessment and Planning Toolkit (MAP), 40 Microsoft Azure App Services, 15 Microsoft Azure Compute, 12–14, 12–14 Microsoft Azure Data Services, 14–15 Microsoft Azure (IaaS) Cost Estimator Tool, 41 Microsoft Azure Recovery Services Agent, 218 Microsoft Developer Network (MSDN) subscriptions, 19–21, 20 Microsoft Exchange in replication, 207 Microsoft Global Foundation Services, 61 Microsoft Identity Manager (MIM), 192–193 Microsoft Migration Accelerator, 223 Microsoft Virtual Machine Converter (MVMC), 223 migration ExpressRoute, 168 VMs to Azure, 222–223 Migration Automation Toolkit (MAT), 223 MIM (Microsoft Identity Manager), 192–193 Minasi, Mark, 318 Mobility Service agents, 215–216 modules in PowerShell, 238–239, 239–240 Monitor tab, 99–100, 100 monitoring cloud services, 99–100, 100 SCOM, 271 virtual machines, 249–250 Monitoring lenses, 48, 49 moving VMs to Azure, 256–257 to virtual networks, 133 MPLS (Multiprotocol Label Switching), 2, 166 MSDN Azure subscriptions, 40, 40 MSDN (Microsoft Developer Network) subscriptions, 19–21, 20 multicast traffic, 107 multifactor authentication (MFA), 189, 321 multiple adapters in virtual networks, 137–138, 137 multiple on-premises gateways, VPN 158 connections to, 158–159, Multiprotocol Label Switching (MPLS), 2, 166 MVMC (Microsoft Virtual Machine Converter), 223 My blog, 331 N names AD sites, 175 cloud services, 46, 101 network security groups, 139 virtual machines, 44 virtual networks, 127 NAT (network address translation), 172 National Institute of Standards and Technology (NIST) cloud description, National Security Agency (NSA), 323 Navigation pane for Azure portals, 41–42 network access in clouds, network address translation (NAT), 172 | 353 354 | NETWORK BLADE • PATCHING VIRTUAL MACHINES Network blade, 132 network monitoring in SCOM, 271 network security groups (NSGs) applying, 141–142 overview, 138–139, 139 rules creating, 140–141, 141 overview, 139–140 Network Service Provider ExpressRoute, 166–167, 166 networks cloud, domain controllers, 179 virtual See virtual networks New-AzureAclConfig cmdlet, 116 New-AzureDNS cmdlet, 136, 174 New-AzureNetworkSecurityGroup cmdlet, 140 New-AzureQuickVM cmdlet, 114 New-AzureReservedIP cmdlet, 104 New-AzureResourceGroup cmdlet, 54 New-AzureRoleAssignment cmdlet, 54 New-AzureRouteTable cmdlet, 156 New-AzureService cmdlet, 101 New-AzureStorageAccount cmdlet, 79 New-AzureVM cmdlet, 246, 259 New-AzureVMConfig cmdlet availability sets, 233 endpoints, 114 multiple NICs, 137–138 reserved IPs, 105 VHDs, 256 VM images, 259 VMs, 133 New-AzureVNetGateway cmdlet, 150, 155 New icon for Azure portals, 43, 43 New-Object cmdlet, 242 New-PSDrive cmdlet, 253 New Storage Pool Wizard, 81 New Virtual Disk Wizard, 81 NICs speed, 107–108 virtual networks, 137–138, 137 NIST (National Institute of Standards and Technology) cloud description, No Host Caching option, 79 -NoRDPEndpoint parameter, 114 -NoSSHEndpoint parameter, 114 Notifications hub, 47 Notorious Nine See risks -NoWinRMEndpoint parameter, 114 NSA (National Security Agency), 323 NSGs See network security groups (NSGs) O OData (Open Data Protocol), 14 off-site backups, 224 on-demand self-service, on-premises connectivity, 143 ExpressRoute, 164–168, 165–166 point-to-site VPNs, 162–163, 163 site-to-site VPNs See site-to-site (S2S) VPNs on-premises costs in IaaS, 30–32 on-premises routes in forced tunneling, 156 Online Service Activation (OSA) keys, 21 Open Data Protocol (OData), 14 operating system costs in IaaS, 32 operating systems for virtual machines, Operation Logs tab for S2S gateways, 152 Optimized For Low Downtime option, 214 Optimized For Resources option, 214 272–275, 273 Orchestrator, 55, 57, OS boot disk, 325 OS-level replication, 215–216, 216 OSA (Online Service Activation) keys, 21 -OSState parameter, 258 Owner role in RBAC, 54 P PaaS (Platform as a Service), 9–10, cloud services, 97 Magic Quadrant, 328 WAP, 284–285 Page Blobs option, 39 pagefiles, 67 panes of glass, 283–289, 286, 288–289 partner sites in Azure AD, 186 Password-Based Single Sign-On, 195 passwords Azure AD, 184, 191–195, 193 Azure Files, 86 Azure portals, 42, 45–46 PowerShell, 241–242 risks from, 321 RODCs, 182 Websites, 296 patching virtual machines, 248 PAYASYOUGO FOR AZURE ACCESS • REMOTE DESKTOP PROTOCOL Pay-as-You-Go for Azure access, 18 PDCs (Primary Domain Controllers), 174 Performance option for load balancing, 298 physical plant costs in IaaS, 30–31 PIP (public IP) addresses, 116–117, 117 pizza and Super Bowl, 6–7 planned disaster recovery, 205 planning disaster recovery, 201–205 for service protection, 206–210, 208 for services, 18 plant costs in IaaS, 30–31 Platform as a Service (PaaS), 9–10, cloud services, 97 Magic Quadrant, 328 WAP, 284–285 point-to-site VPNs, 162–163, 163 policy-based VPN, 144 pooling clouds, pools for storage, 81–82, 82 port endpoints, 110 portal limitations, 265–266 power consumption in datacenters, 2–3, power usage effectiveness (PUE), PowerShell, 238 Azure Automation, 300–301 configuring, 239–243 interface options, 247 modules, 238–239, 239–240 working with, 243–247, 245 Preboot eXecution Environment (PXE), 248 predictable bursting, 7–8 Premium Storage, 83–84 Preview Azure portals, 47–53, 48–52 Preview features site, 85 pricing tiers for Websites, 294–295, 295 Primary Domain Controllers (PDCs), 174 primary keys in storage accounts, 76 Primordial storage pools, 81, 82 priorities for network security groups, 139–140 private clouds attributes, 276 implementing, 275–283, 278–279 virtualization in, 3–5, Process Server in InMage Scout, 215–216 production, VIPs in, 105, 106 Production slots for Websites, 293 profiles for Traffic Manager, 298–299, 299 Properties blade for Websites, 296 protocols for network security groups, 139 | provider connectivity in ExpressRoute, 168 provisioning Azure AD, 185 private clouds, 279, 279 virtualization, proxies, reverse, 309–311, 310–311 PSModulePath variable, 238–239 public cloud overview, 5–9, public IP (PIP) addresses, 116–117, 117 PUE (power usage effectiveness), PXE (Preboot eXecution Environment), 248 Q queues for Microsoft Azure Data Services, 14 quorum disks in disaster recovery, 203 R RA-GRS (Read-Access Geo-redundant Storage), 78 racks for blades, 63 RAID/Storage Space technology, 83 RBAC (role-based access control), 53–54 RDFE (Red Dog Front End), 62 RDMA network adapters, 107 RDP See Remote Desktop Protocol (RDP) RDS (Remote Desktop Services) role, 307–309, 307–308 Read-Access Geo-redundant Storage (RA-GRS), 78 Read Host Caching option, 79 read-only databases, 182 read-only domain controllers (RODCs), 182–183 read-write domain controllers (RWDCs), 182–183 Read/Write Host Caching option, 79 Reader role in RBAC, 54 Recommended pricing tiers blade, 52 recovery point objectives (RPOs), 78, 204 recovery time objectives (RTOs), 204 Red Dog Front End (RDFE), 62 redundant backups, 224 regions Azure architecture, 61–62, 62 ExpressRoute, 167 virtual networks, 132, 160–161 Registration key files, 218 reliable IaaS, 16–17, 16 Remote Desktop Protocol (RDP) endpoints, 110, 110 RDS role for, 307 virtual machines, 65–66, 66 355 356 | REMOTE DESKTOP SERVICES • SCVMM Remote Desktop Services (RDS) role, 307–309, 307–308 Remote Spending Limit dialog box, 20 Remove-AzureAccount cmdlet, 242 Remove-AzureNetworkSecurityGroupFromSubnet cmdlet, 141 Remove-AzureRoleAssignment cmdlet, 54 Remove-AzureRouteTable cmdlet, 157 Remove-AzureService cmdlet, 96 Remove-AzureStaticVNetIP cmdlet, 136 Remove-AzureStorageFile cmdlet, 86 Remove-AzureSubnetRouteTable cmdlet, 157 Remove-AzureVM cmdlet, 133 Remove-AzureVNetGatewayDefaultSite cmdlet, 157 replication Active Directory, 175, 175, 180 ASR, 212–215, 213–214 asynchronous vs synchronous, 205–206 OS-level, 215–216, 216 in service protection plans, 206–210, 208 storage accounts, 77 types, 88 reports in Azure AD, 197–198, 197 Representational State Transfer (REST) APIs description, 55, 57 PowerShell, 247 WAP, 284 reserved IPs, 134–136, 134–135 reserved VIPs, 104–105, 104 -ReservedIPName parameter, 133 Resize-AzureVNetGateway cmdlet, 155 resource groups, 53–54 resources Azure, 331 pooling, virtualization, REST (Representational State Transfer) APIs description, 55, 57 PowerShell, 247 WAP, 284 Restart-AzureVM cmdlet, 246 reverse proxies, 309–310, 310–311 Rights Management Services (RMS), 190, 324 risks, 316–317, 317 abuse, 319 data breaches, 322–323 data loss, 322 Denial of Service attacks, 320 due diligence, 318–319 exposed software, 317 interfaces, 321 malicious insiders, 320 Skynet, 324 unauthorized access, 321–322 Riverbed Steelhead WAN optimizer, 137 RMS (Rights Management Services), 190, 324 RODCs (read-only domain controllers), 182–183 role-based access control (RBAC), 53 Round-Robin option in load balancing, 298 routes in forced tunneling, 156 routing gateways in site-to-site VPNs, 144–145 RPOs (recovery point objectives), 78, 204 RTOs (recovery time objectives), 204 rules for network security groups creating, 140–141, 141 overview, 139–140 runbooks Azure Automation, 300–305, 303–304, 306 Orchestrator, 55, 57 Running state in virtual machines, 102–103 Russinovich, Mark, 257, 316, 324 RWDCs (read-write domain controllers), 182–183 S SaaS (Software as a Service), 9–10, 9–10 SActivity icon for virtual machines, 46–47 SANs See storage area networks (SANs) Save-AzureResourceGroupGalleryTemplate cmdlet, 262 Save-AzureVhd cmdlet, 88 Save-AzureVMImage cmdlet, 258–259 scaling and scalability Autoscale, 13, 235–237, 237 Cloud Platform System, 289–290 Microsoft Azure Compute, 13 private clouds, 276–277 SCCM (System Center Configuration Manager), 248, 269 schedulers Azure Scheduler, 306 description, 15 Task Scheduler, 68 SCOM (System Center Operations Manager), 249, 271–272 scratch drives, 67–68 SCVMM See System Center Virtual Machine Manager (SCVMM) SEARCHING AZURE OPERATIONAL INSIGHTS LOGS • SPECIAL PROJECTS searching Azure Operational Insights logs, 312 secondary keys in storage accounts, 76 security ACLs, 115–116, 118, 142 balancing, 318 domain controllers, 178, 182 encryption See encryption ExpressRoute, 164 network security groups, 138–142, 141 proxies, 309 risks See risks SQL Server, 286 and staffing, 34 security IDs (SIDs), 325 Select-AzureSubscription cmdlet, 242–243 self-service for virtual machines, 277, 280, 283 Server Manager, 70, 71 Server Message Block (SMB) protocol, 85 servers in Azure architecture, 63–64, 63 Service Bus in Microsoft Azure App Services, 15 service catalogs, 274–275 service level agreements (SLAs) ExpressRoute, 168 fabric controllers, 13–14 Service Manager, 55, 57 Service Manager Automation (SMA), 55 benefits, 275 WAP, 284 Service Provider Foundation (SPF), 270 service traffic, hijacking, 321–322 services See cloud services Set-AzureAclConfig cmdlet, 116 Set-AzureAvailabilitySet cmdlet, 233, 235 Set-AzureDataDisk cmdlet, 80 Set-AzureLoadBalancedEndpoint cmdlet, 120 Set-AzureNetworkSecurityRule cmdlet, 140 Set-AzureOSDisk cmdlet, 80 Set-AzurePublicIP cmdlet, 116 Set-AzureRoute cmdlet, 156 Set-AzureService cmdlet, 101 Set-AzureStaticVNetIP cmdlet, 136 Set-AzureStorageAccount cmdlet, 79 Set-AzureStorageFileContent cmdlet, 86 Set-AzureSubnet cmdlet, 132 Set-AzureSubnetRouteTable cmdlet, 156–157 Set-AzureSubscription cmdlet, 243 Set-AzureVMaccessExtension cmdlet, 251 Set-AzureVMBGInfoExtension cmdlet, 251 Set-AzureVMCustomScriptExtensions cmdlet, 255 Set-AzureVNetConfig cmdlet, 131 Set-AzureVNetGateway cmdlet, 150 Set-AzureVNetGatewayDefaultSite cmdlet, 157 Set-ExecutionPolicy cmdlet, 68 Set Up Protection For VMM Clouds option, 218 Set-VMReplication cmdlet, 207 Settings blade for Websites, 296 Shadow IT, 318–319 shared storage for disaster recovery, 202 Shared tier for Websites, 294–295 shutdown in virtual machines, 103 SIDs (security IDs), 325 Sign Ins from IP Addresses with Suspicious Activity report, 197 Sign Ins from Multiple Geographies report, 198 Sign Ins from Possibly Infected Devices report, 198 286, 288–289 single panes of glass, 283–289, Single Sign-On in Azure AD, 187–188, 195 site configuration in Active Directory, 174–178, 175–177 Site Recovery Vaults, 218, 219–220 site-to-site (S2S) VPNs, 143 basics, 143–145, 144–145 forced tunneling, 156–157, 157 gateways See gateways for site-to-site VPNs limitations, 164 virtual network-to-virtual network connectivity, 160–161, 161–162 size selection for virtual machines, 38 Skynet, 324 SLAs (service level agreements) ExpressRoute, 168 fabric controllers, 13–14 SLES (SuSE Linux Enterprise Server), 39 -Slot Production parameter, 105 SMA (Service Manager Automation), 55 benefits, 275 WAP, 284 SMB (Server Message Block) protocol, 85 SMI-S integration, 217 Snowden, Edward, 323 software, exposed, 317 Software as a Service (SaaS), 9–10, 9–10 solid state drives (SSDs), 67, 79–80, 83–84, 92 solutions in IaaS, 33–35 source IP in network security groups, 139 source ports in network security groups, 139 sparse storage, 68 special projects, | 357 358 | SPEED • SYSTEM CENTER SERVICE MANAGER speed ExpressRoute, 164 NICs, 107–108 S2S gateways, 152–155, 153–154 site-to-site VPNs, 164 SPF (Service Provider Foundation), 270 SQL Server in replication, 207–208 SQL Server Licensing Guide, 208 SSD Deduplicated tier in StorSimple, 92 SSD Linear tier in StorSimple, 92 SSDs (solid state drives), 67, 79–80, 83–84, 92 staffing for IaaS, 34 staging, VIPs in, 105, 106 Staging slots in Websites, 293 stamps in storage, 63–64, 83 Standard Edition for System Center, 266–267, 267 Standard tier for Websites, 295 Starboard for portals, 47, 48 Start-AzureVM cmdlet, 246 Start-AzureVNetGatewayDiagnostics cmdlet, 151 Start-CopyAzureStorageBlob cmdlet, 88 Start-DscConfiguration cmdlet, 254 startups, cloud for, states in virtual machines, 102–103 static IP addresses in ASR, 221–222 static routing gateways, 144 -StayProvisioned parameter, 103 Stop-AzureVM cmdlet, 103, 246 Stopped state in virtual machines, 102–103 storage, 65 cloud, domain controllers, 179 GRS See Geo-redundant Storage (GRS) premium, 83–84 virtual machines Azure Files, 85–86 Azure Storage See Azure Storage caching, 79–80, 80 disks and images, 84 large and high-performance volumes, 80–83, 82 storage accounts See storage accounts types, 65–74, 66, 69–71, 73 storage accounts attributes, 74–75, 75 IOPS throttling, 76 keys, 76–77, 77 limits, 25 replication, 77–79 VHD files, 213–214, 214 Storage Accounts per Subscription setting, 25 storage area networks (SANs), 16, 16 ASR, 217 clusters, 202 description, 2, 87 replication, 206 Storage Spaces technology, 81 StorSimple, 91–93, 92 subnets AD sites, 175 forced tunneling, 156–157 network security groups, 138–139 S2S gateways, 153–154 virtual networks, 125–129, 126, 128–129, 132 subscriptions Azure AD, 190–191, 191 ExpressRoute, 167–168 MSDN, 19–21, 20, 40, 40 PowerShell for, 239–243 Summary lenses, 48 Super Bowl and pizza, 6–7 SuSE Linux Enterprise Server (SLES), 39 swapping deployment slots, 293 Switch-AzureMode cmdlet, 247, 261 synchronization in Azure AD, 192–194 synchronous replication, 205–206 SYSPREP, 183, 256–258 System Center App Controller See App Controller Cloud Platform System, 289–290 DPM, 272 IaaS, 31–32 introduction, 266–268, 267–268 Orchestrator, 272–275, 273 panes of glass, 283–289, 286, 288–289 for portal limitations, 265 private clouds, 275–283, 278–279 SCCM, 269 SCOM, 271–272 SCVMM, 269–271, 270 Service Manager, 272–275, 273 System Center Configuration Manager (SCCM), 248, 269 System Center Data Protection Manager, 222–224, 224–225, 272 System Center Operations Manager (SCOM), 249, 271–272 System Center Orchestrator, 211, 272–275, 273 System Center Service Manager, 272–275, 273 SYSTEM CENTER VIRTUAL MACHINE MANAGER • VIRTUAL MACHINES System Center Virtual Machine Manager (SCVMM) ASR, 218–220, 220 HRM, 212–213, 212 overview, 269–271, 270 private clouds, 282–283 replication, 213 SMI-S integration, 217 T tables for Microsoft Azure Data Services, 14 Task Scheduler, 68 TDE (Transparent Data Encryption), 324 templates OS images, 84 resource group, 260–263 temporary drives, 66–68, 72 test and development, cloud for, Test-AzureName cmdlet, 46, 96, 244 Test-AzureStaticVNetIP cmdlet, 135 test disaster recovery, 205 Test slots for Websites, 292–293 thin provisioning, 68 threats See risks 3DES encryption, 145 throttling in IOPS, 76 tiers in StorSimple, 92–93 Titanfall game, 1, title bars for Azure portals, 42 TLS (Transport Layer Security), 323 tools for IaaS, 33 TPM (Trusted Platform Module), 324–325 trace logging in WAP, 287 299 Traffic Manager, 297–300, 297, transmission speed of site-to-site VPNs, 164 Transparent Data Encryption (TDE), 324 Transport Layer Security (TLS), 323 troubleshooting S2S gateways, 151–152 Trust Center, 320 trust in Azure, 316 Trusted Platform Module (TPM), 324–325 trusts in Azure AD, 186 TTL setting for Traffic Manager, 299 tunneling, forced, 156–157, 157 Type setting for network security groups, 139 U unattend.xml file, 183, 257–258 unauthorized access, 321–322 | unplanned disaster recovery, 205 unpredictable bursting, 7–8, Update-AzureVM cmdlet, 235, 251 update domains in availability sets, 228–229, 228, 230–231 update status in Azure Operational Insights, 312 upfront investment for IaaS, 35 upgradeDomainCount attribute, 228 upgrading applications, 250 uptime SLA in ExpressRoute, 168 Usage lenses, 49 Use ExpressRoute option, 148 usernames for Websites, 296 Users tab for Azure AD, 194, 194 V vanity domains, 297 versions of images, 44 VHD Driver, 87, 87 VHDs, 68–74, 69 Azure Storage, 79, 88 IOPS limits, 83–84 virtual networks, 133 VHDX format, 3, virtual environment costs in IaaS, 31 virtual IPs (VIPs), 102–103, 102 dynamic, 106–109, 106, 109 load-balanced sets, 121 production and staging, 105, 106 reserved, 104–105, 104 virtual machines, 45–46 Virtual Machine Manager, 269–271, 270 virtual machines application upgrades, 250 availability sets, 228–234 Azure interaction, 54–57, 56 Azure VM Agent, 250–255, 255 backups, 248–249 bandwidth and support, 39 creating, 41 legacy Azure portals, 41–47, 42–47 Preview Azure portals, 47–53, 48–52 DNS, 136 firewalls, 250–251 IaaS-supported configurations, 57–60, 58–59 images, 258–259, 260 malware protection, 250 Microsoft Azure Compute, 13 migrating to Azure, 222–223 359 360 | VIRTUAL MACHINES • ZONE REDUNDANT STORAGE virtual machines (continued) monitoring, 249–250 moving to Azure, 256–257 patching, 248 replication, 209–210 size selection, 38 states, 102–103 storage See storage turning off, virtual networks adding, 131–133, 132 DNS, 136 multiple adapters, 137–138, 137 reserved IPs, 134–136, 134–135 VIRTUAL_NETWORK identifier, 140 virtual network (intra-vnet) routes in forced tunneling, 156 virtual networks affinity groups, 123–124, 124 basics, 123 creating, 127–131, 128–129 network security groups, 138–142, 139, 141 overview, 125–127, 125 VMs adding, 131–133, 132 DNS, 136 multiple adapters, 137–138, 137 reserved IPs, 134–136, 134–135 virtual private networks (VPNs) point-to-site, 162–163, 163 site-to-site See site-to-site (S2S) VPNs virtualization in private cloud, 3–5, vs private clouds, 277–280, 278 settings, 130 Visual Studio, 260 VLAN stretching, 168 VM Agents, 46 VM-GenerationID parameter, 179 -VNetName parameter, 157 VPNs (virtual private networks) point-to-site, 162–163, 163 site-to-site See site-to-site (S2S) VPNs W WAP (Windows Azure Pack), 268, 268, 283–289, 286, 288–289 Web Application Proxy, 309–310 Web Edition for databases, 15 Web Hosting Plan (WHP), 293–295, 295 web roles in Microsoft Azure Compute, 13 294–296 Websites, 291–297, WHP (Web Hosting Plan), 293–295, 295 Windows Azure Pack (WAP), 268, 268, 283–289, 286, 288–289 Windows Server Update Services (WSUS), 248 worker roles in Microsoft Azure Compute, 13 Write-Output cmdlet, 301 Write-Verbose cmdlet, 252–253, 255 WS-Management, 110 WSUS (Windows Server Update Services), 248 X XML files for virtual networks, 129–130 xplat-cli (Azure Cross-Platform Command-Line Interface), 247 Z Zone Redundant Storage (ZRS) for data loss, 322 overview, 77–78 WILEY END USER LICENSE AGREEMENT Go to www.wiley.com/go/eula to access Wiley’s ebook EULA